Tag Archives: Information Security

Securing your digital life

It is long overdue to rejuvenate the site with fresh information security content that will help you protect what is digitally important to you. What is important to protect will differ for each person, but some of the things most likely to matter to you are:

  • Protecting your online financial information (online banking account & retirement accounts)
  • Protecting your primary email accounts that often control the reset functionality to other important accounts if you forget the passwords.
  • Protecting your social media presence to avoid embarrassment or being used to infect others with malware
  • Protecting your online file storage including documents and pictures that are important to you
  • Protecting information that you consider private while engaging online
  • Protecting your expensive digital devices from theft

All of us have something important to protect and awareness that you are a target is the first step towards taking the needed actions to lower your probability of having problems down the line. Next up will be suggestions on what you need to do to help safeguard your digital life.

Information Security Management – How to stay out of the news

Information Security and IT Operations have a good bit in common, most notably that the #1 goal is to be invisible to the public. Unless your company is in CIO or Information Security magazines being touted as a leader in your field, if your company is in the news it is probably bad news. In IT Operations, poor website uptime that causes a loss in sales is very visible, much like an information security breach is in the IT Security field. Dealing with a breach is not only embarrassing but also has legal implications, since there are notification requirements if sensitive employee or customer data is accessed inappropriately or potentially exposed. I regularly review these required breach notifications to see what information security lessons can be learned, and here are the most common themes I see:

Unencrypted laptops containing sensitive data are lost or stolen and information is exposed.

There are a number of information security lessons that can be learned from this, but by far the biggest are to avoid putting this type of sensitive data on laptops in the first place and to use encryption to protect laptops that contain business information. It is also possible to install laptop recovery devices to help track these devices down, but often the real value is in the information, not in the cost of the lost laptop itself.

Information Security Test:

  • Are you securing your laptops with encryption?
  • Are you preventing sensitive information that could require a breach notification from ever being on a laptop in the first place?
  • Are you auditing compliance to make sure what you think is happening is based in fact and not blindly on what policy says should happen?

Company websites are hacked and sensitive data is disclosed.

The most common problems here are unpatched systems exposed to the Internet, default passwords, and cross-site scripting attacks on vulnerable web applications.

Information Security Test:

  • Are you regularly patching your systems as new patches are released?
  • Are you performing web application security audits to validate that your sites are secure and compliant with company policy?
  • Are you managing your sites over secure networks using secure protocols to prevent credentials from being intercepted?

Online banking credentials are stolen and financial accounts are drained

Many different information security principles can come into play here, but the most common thing is to avoid falling victim to phishing attacks or having your PC become infected with malware by visiting insecure websites.

Information Security Test:

  • Are you educating your employees about the danger of social engineering and online banking phishing scams?
  • Are you educating your employees about the danger of surfing to internet sites that are of dubious quality?
  • Have you considered the risks of online banking and taken appropriate protection steps?

Follow these tips and audit your compliance against them, and hopefully your information security measures will help your company stay invisible from a required security notification perspective.

How To Secure Your Wireless Router

Utilizing a wireless network is cheap, convenient and can be a significant productivity boost to your company. It can also be a security disaster if it has been installed out of the box and left that way, because wireless routers ship with only minimal security settings applied. What should you do to make sure your wireless router is secure? Here are the minimum actions you should take to ensure you are protected.

1. Change your administrative password. Nearly all wireless routers ship with a default or blank password out of the box. Need proof of how easy it is for others to locate these default user name and password combinations for any router out there? Visit routerpasswords.com to check it out (note this is also a good method to recover your password if you have thrown out the documentation and ever have to do a hard reset of your wireless router). When setting the password be sure to follow our tips for creating a secure password.

Getting Started: To access the administrative login page for your wireless router you must use your web browser and navigate to the appropriate IP address. Reference your manual or try these common admin URLs (while connected to your wireless network):

http://192.168.0.1/ (Dlink & Netgear)

http://192.168.1.1/ (Linksys)

If you are operating from a Windows machine you could also try Start > Run > cmd. Type ipconfig at the command line and locate the Default Gateway. This should be your wireless router admin location, assuming you are connected through the wireless router. (If none of these work I recommend a Google search for the type of wireless router you have and "admin url", for example: dlink and admin url.)

2. Turn on encryption. It is estimated that over half of wireless networks are left open, and that sounds about right. You cannot afford to do that with your business or home network, so I recommend at a minimum you utilize WEP encryption, and preferably WPA or WPA2 if your device supports them, since they are more secure.

Max Size 128 bit WEP key = 26 characters

Max Size 256 bit WEP key = 58 characters

Max Size WPA passphrase = 63 characters

When setting encryption treat it like a password and never pick words or phrases that are easily guessable or in the dictionary. A good general rule is that some encryption is better than none and longer keys are better than shorter ones. If your network is used by many individuals you will likely have to pick your own sweet spot between usability and security.
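The key-length rules quoted above can be turned into a small checker and generator. The following is an added example (not code from the original post): it validates WEP hex keys against the 26 and 58 character lengths listed above, flags WPA/WPA2 passphrases that are too short, non-printable or plain dictionary words, and generates a maximum-length random passphrase from the operating system's CSPRNG. The tiny word list is a constructed stand-in for a real dictionary, and the entropy figure is only an upper bound that holds for randomly generated passphrases, not human-chosen ones. One caveat the post predates: WEP, regardless of key length, is cryptographically broken, so in practice the checker's WPA/WPA2 branch is the one that matters.

```python
import math
import secrets
import string

# Length rules from the post: WEP keys are entered as hex digits, WPA/WPA2
# passphrases are 8 to 63 printable ASCII characters.
WEP_HEX_KEY_LENGTHS = {26: 128, 58: 256}   # hex digits -> advertised WEP key size
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a dictionary; a real check would load a wordlist file.
COMMON_WORDS = {"password", "linksys", "wireless", "internet", "admin"}


def wep_key_bits(key: str):
    """Return the advertised WEP key size for a hex key, or None if it is not a valid WEP key."""
    if len(key) in WEP_HEX_KEY_LENGTHS and all(c in string.hexdigits for c in key):
        return WEP_HEX_KEY_LENGTHS[len(key)]
    return None


def wpa_passphrase_problems(passphrase: str) -> list:
    """List why a WPA/WPA2 passphrase would be rejected or is weak; an empty list means it passes."""
    problems = []
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        problems.append(f"length must be {WPA_MIN_LEN}-{WPA_MAX_LEN} characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if passphrase.lower() in COMMON_WORDS:
        problems.append("passphrase is a dictionary word")
    if len(set(passphrase)) < 4:
        problems.append("too few distinct characters")
    return problems


def passphrase_entropy_bits(passphrase: str) -> float:
    """Entropy if every character were drawn uniformly from PASSPHRASE_ALPHABET (an upper bound otherwise)."""
    return len(passphrase) * math.log2(len(PASSPHRASE_ALPHABET))


def generate_wpa_passphrase(length: int = WPA_MAX_LEN) -> str:
    """Generate a random WPA/WPA2 passphrase of the requested length using the OS CSPRNG."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError(f"WPA passphrase length must be {WPA_MIN_LEN}-{WPA_MAX_LEN}")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    candidate = generate_wpa_passphrase()
    print(len(candidate), "chars,", round(passphrase_entropy_bits(candidate)), "bits")
    print("problems:", wpa_passphrase_problems(candidate))
    print("WEP 26-hex key ->", wep_key_bits("0123456789abcdef0123456789"), "bit")
```

Some router web interfaces mishandle quotes or backslashes in the passphrase field; if yours does, drop those characters from PASSPHRASE_ALPHABET and accept a slightly lower entropy per character.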

3. Update the wireless router firmware – Vendors provide updates to increase functionality and eliminate security vulnerabilities. Failing to update to the most current levels could leave your wireless network vulnerable.

4. Change the Wireless Network SSID – It typically adds little in security but lowers the temptation for casual snoopers to dive deeper as many Internet freeloaders only look for default unprotected network setups.

5. Disable SSID broadcast – This is similar to step 4 in its value (mainly just adding some obscurity to your setup), but it can help keep out unskilled would-be freeloaders.

6. Consider using MAC address filtering if you have a relatively stable environment with few guests utilizing the network. It adds a lot to security but can be an administrative headache, so make sure you're going to do it right if you implement it.

7. Backup your wireless network configuration and save it to a location where it can be recovered if you are forced to do a restore. This step can save you a lot of hassle if you are ever forced to do a hard reset on your wireless router.

Feel free to post any questions you may have and I will do my best to assist.

FBI advisory for Businesses – Online Banking Accounts at risk

Online banking security related risks have received more attention from me than any other information security topic, and rightfully so! Not many other business related risks can quickly put a company out of business, but the fraudulent theft of an entire bank account could force closure if invoices and payroll cannot be paid. After analyzing a lot of recent frauds, the FBI has acknowledged that online banking is risky for businesses and has issued a fraud advisory detailing typical fraud methods and ways to protect your business from becoming a victim.

The fraud advisory begins by mentioning that cyber criminals are targeting financial accounts of owners and employees of small and medium-sized businesses and that the result has been significant disruption and often unrecoverable lost funds (as we have mentioned previously here, since regulations do not adequately protect businesses right now). Several examples are also provided, very similar to other cases we have previously highlighted. The highlighted method of compromise is targeted phishing emails that either carry an infected attachment or a link the victim clicks that sends them to a malicious site that compromises their machine. Once the machine is compromised, key logging software is installed to record keystrokes, and online banking credentials are obtained when the victim logs into their account on the compromised machine. The cyber thieves then strike at an opportune time to drain the accounts of their contents, often in increments of $10,000 or less to avoid suspicion.

What does the FBI Advisory recommend to avoid becoming a victim?

1. Educate your users not to respond to unsolicited emails and never to open attached documents or click on links in them. If an email appears to come from a financial institution or government agency and you feel it is legitimate, engage that institution directly and avoid the suspicious files or links.

2. Secure Your computers and networks

3. Enhance the security of your business banking processes. The FBI recommends dual control, where one person must authorize the creation of a payment and another must authorize the release of the payment from a separate system. This is a good protection that segregates duties and also helps mitigate typical non-cyber fraud, but you should be warned that often multiple accounts at a given company are targeted, so it is not a foolproof control (but a useful additional security step). The FBI also recommends SMS text payment notifications or direct phone notifications, which can help detect a fraud early in the process and limit the damage.

4. Monitor accounts daily – The sooner you detect a problem the sooner you can work on correcting it and recovering your losses.

5. Pay attention to any warning signs that your machine may be compromised, including antivirus system warnings, pop-up alerts, sluggish response, or being unable to shut down or restart properly.

6. Understand your responsibilities and liabilities – This recommendation is useful because many businesses have a false sense of security and believe that personal banking laws also apply to their business. They often do not, so find out now so you can make an informed decision about whether the convenience of online banking is worth the risks it entails.
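Recommendation 3 above (dual control plus payment notifications) is easy to state and easy to get subtly wrong in a payments workflow, so here is an added example, not code from the post or from the FBI advisory, that models the two checks as enforced rules: the user who creates a payment may not release it, and the release must come from a different system than the creation. The workstation identifiers and the notification callback (standing in for the SMS or phone alert the advisory recommends) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class DualControlError(Exception):
    """Raised when a payment action would violate separation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    payee: str
    created_by: str
    created_from: str                  # hypothetical workstation/session id used for creation
    released_by: Optional[str] = None
    released_from: Optional[str] = None

    @property
    def released(self) -> bool:
        return self.released_by is not None


class PaymentDesk:
    """Toy payment queue enforcing dual control: create and release need
    different users on different systems, and every step is notified."""

    def __init__(self, notify: Callable[[str], None]):
        self.notify = notify             # stand-in for an SMS/phone notification channel
        self.payments: Dict[str, Payment] = {}

    def create(self, payment_id: str, amount: float, payee: str, user: str, system: str) -> Payment:
        if payment_id in self.payments:
            raise DualControlError("duplicate payment id")
        if amount <= 0:
            raise DualControlError("amount must be positive")
        p = Payment(payment_id, amount, payee, user, system)
        self.payments[payment_id] = p
        self.notify(f"payment {payment_id} for {amount:.2f} to {payee} created by {user} on {system}")
        return p

    def release(self, payment_id: str, user: str, system: str) -> Payment:
        p = self.payments[payment_id]
        if p.released:
            raise DualControlError("already released")
        if user == p.created_by:
            raise DualControlError("creator may not release their own payment")
        if system == p.created_from:
            raise DualControlError("release must come from a separate system")
        p.released_by, p.released_from = user, system
        self.notify(f"payment {payment_id} released by {user} on {system}")
        return p


def demo() -> dict:
    """Walk one payment through the control; returns what was notified and what was refused."""
    alerts, refused = [], []
    desk = PaymentDesk(alerts.append)
    desk.create("P-1", 9500.00, "Acme Supplies", user="alice", system="ws-finance-1")
    for user, system in [("alice", "ws-finance-2"), ("bob", "ws-finance-1")]:
        try:
            desk.release("P-1", user, system)
        except DualControlError as e:
            refused.append(f"{user}@{system}: {e}")
    desk.release("P-1", user="bob", system="ws-finance-2")
    return {"alerts": alerts, "refused": refused, "released": desk.payments["P-1"].released}


if __name__ == "__main__":
    for line in demo()["alerts"] + demo()["refused"]:
        print(line)
```

The demo also shows the limit the advisory warns about: the control only holds while the attacker has at most one of the two credentials and one of the two systems, which is why the daily account monitoring in recommendation 4 is still needed.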

Information Security for laptops, desktops, and servers

Your company's laptops, desktops, and servers are critical for most of your major business processes, from customer management to invoicing, accounting, and payroll. If your systems are not available for use you cannot perform these activities and keep your business operating effectively. Worse yet, if your devices have been compromised your data is not secure and it can be deleted, manipulated or misused for financial gain by cyber criminals. Simply put, keeping your systems secure helps keep your business secure.

Here are the key items you need to consider to stay protected:

Update your software – The developers that make the software you utilize are not perfect; in fact there are thousands of yet-to-be-detected errors in every piece of software you own. Nearly every company regularly updates its software to improve functionality and eliminate security vulnerabilities, and you need to update your systems quickly to protect against known security threats.

Utilize auto update functionality – For most desktop/laptop systems auto updates are the best way to ensure that you are installing any needed security patches in a timely manner. This link to Microsoft’s site shows you how to set the auto update functionality for their most common operating systems. Application software updates for the common applications you use including Microsoft Office, and Adobe among others are also required to round out your protection. Your internet browser (whichever you choose to utilize) is also one of the most critical things to have running at the most current version because a lot of malware is picked up via the Internet.

How to update Internet Explorer – While in IE go to Tools > Windows Update and install any recommended patches

How to update Firefox – While in Firefox go to Help > Check for Updates

* Note it is also important to ensure any Firefox updates you have installed are updated in a timely manner when a new release is available.

How to update Google Chrome – Follow the instructions provided by Google in the attached link.

The one exception you should make for auto updates is to not perform it on critical servers. All updates should be tested in a more controlled manner on a critical server to avoid potential problems with new security patches.

Utilize Antivirus software – Antivirus software is essential for minimizing the risks of getting infected with all forms of malware including viruses and worms. If you do happen to get infected antivirus software can often help you fix the issue and remove the problem. In addition to antivirus software, Microsoft’s Malicious Software Removal Tool is an excellent free tool that offers malware removal options.

Practice Safe Internet Browsing – Educate your users and train them to limit their Internet activity to trusted sites to lower their chances of picking up nasty malware. Even if you patch and have antivirus you could be pushing your luck if you visit untrusted sites, as a zero-day vulnerability could be waiting to infect your systems and defeat the other security mechanisms you have implemented.

Online Banking Security – Another Town Bites the Dust

Just in case you thought I might have been crying wolf over the risks of online banking and the need to implement online banking security measures, here is another report that proves the risks are very real. Another New Jersey city has become a victim of online banking fraud because they failed to implement adequate information security measures. The city feels confident they will recover most of the $400,000 that was lost, but if I were a taxpayer in that area I would be very concerned about the lax information security practices that put the funds at risk to begin with.

The article linked above from Brian Krebs is a great read because it gives fascinating detail on the other end of the criminal process: how do the criminals get the money out without getting caught? Cyber thieves are utilizing social networking, job boards and a high unemployment rate to their benefit to recruit "money mules" that help move the money around quickly and minimize the likelihood of them getting caught. This is a good example of how the scam works and shows you what kind of thieves you are up against.

Remember online banking is convenient but a lot can go wrong if you are not taking information security seriously. Just as Brigantine, New Jersey could not rely on their bank to stop unauthorized transactions neither can you. The security of your financial health is reliant on you so get started today.

Information Security – Is it a productivity road block?

Image provided by http://www.flickr.com/photos/wwarby/

A recent survey conducted by Government Business Council shows that many officials in government agencies think information security is a barrier to increased productivity. The survey references blocked websites that prevent access to needed information and the inability to work remotely effectively (presumably due to security limitations) as the primary pain points. An interesting but unsurprising side effect noted in the survey was that users who are blocked from getting information one way will sometimes resort to less secure methods to access it.

How do your users feel about information security impacting their productivity? If you have not asked recently through informal checks or surveys you may be surprised. They likely feel the same way and may be taking additional risk to access the information they are trying to get. It is important to balance information security protection with usability to ensure you are not missing opportunity or limiting productivity.

Some things to consider

  1. Information security requires continual education and engagement with your user community. It involves a give and take where you must educate and inform but also listen to feedback to ensure you have not set up unneeded barriers that negatively impact productivity
  2. As much as possible schedule security scans to occur at a less than peak time to minimize disruption. When this time is will vary by company so plan it based on your business requirements
  3. If you have implemented web filtering create a feedback loop so you can learn about web sites needed for business use that are being blocked inappropriately. Evaluate and take action as appropriate to show that you are listening and care about business requirements. This is an important step to building trust that will help further all of your information security objectives later on.
  4. Remember when people think security is a barrier they will be creative and potentially use unauthorized methods to get what they need. It is better to understand what user pain points are and help them be removed vs. giving an incentive to get around the barriers that could cause a big exposure.

In closing, be sure to build a relationship with your users so you can find out how they really feel and validate that your information security program is meeting business requirements.

Network Security – Get a firewall

No firewall is like playing with fire

Photo courtesy of http://www.flickr.com/photos/catsegovia/

Network security is one of the more technical subjects of an information security program, but it is essential to your overall security health. Your network is your pathway to all of the essential business processes that happen to and from the outside world. The same connectivity that enables business also comes at a cost: increased risk of suffering an information security incident if you do not implement firewall protection to block undesired traffic to your network. Security tests have shown that a computer placed directly on the Internet can be compromised in minutes even if it is configured with minimal functionality. Simply put, running without a firewall is playing with fire. A secondary benefit of having a firewall is that it is a way to validate that your network is not part of a botnet that could be stealing your data or using you for other nefarious purposes. Regular review of firewall logs can help quickly detect a problem that needs to be followed up on.
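The log review mentioned above is the part most small shops skip, so here is an added example (not code from the post or from any firewall vendor) of the two checks a first pass should make: an outside address whose denied inbound attempts walk across many ports, and an inside host that keeps connecting to the same outside host on a port normal office traffic never uses, which is the botnet symptom the paragraph describes. The log lines are constructed for this example in a key=value layout resembling iptables/netfilter kernel logging; the ACTION and DIR fields, the thresholds and the list of expected outbound ports are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from a real device).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53211 DPT=22
2024-03-01T10:00:02 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53212 DPT=23
2024-03-01T10:00:02 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53213 DPT=80
2024-03-01T10:00:03 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53214 DPT=443
2024-03-01T10:00:03 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53215 DPT=445
2024-03-01T10:00:04 ACTION=DENY DIR=in SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=53216 DPT=3389
2024-03-01T10:05:00 ACTION=ALLOW DIR=out SRC=192.168.1.25 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=6667
2024-03-01T10:06:00 ACTION=ALLOW DIR=out SRC=192.168.1.30 DST=198.51.100.50 PROTO=TCP SPT=40010 DPT=443
2024-03-01T10:10:00 ACTION=ALLOW DIR=out SRC=192.168.1.25 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=6667
2024-03-01T10:15:00 ACTION=ALLOW DIR=out SRC=192.168.1.25 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=6667
2024-03-01T10:16:00 ACTION=ALLOW DIR=out SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=40020 DPT=8080
2024-03-01T10:20:00 ACTION=ALLOW DIR=out SRC=192.168.1.25 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=6667
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ACTION=(?P<action>\w+) DIR=(?P<dir>\w+) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Destination ports that ordinary outbound office traffic is expected to use (assumed list).
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["spt"], r["dpt"] = int(r["spt"]), int(r["dpt"])
            records.append(r)
    return records


def find_port_scans(records, min_ports=5):
    """External sources whose denied inbound attempts touched at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "DENY" and r["dir"] == "in":
            ports_by_src[r["src"]].add(r["dpt"])
    return {src: len(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def find_suspicious_outbound(records, min_hits=3):
    """Internal hosts repeatedly reaching the same external host on an unexpected port."""
    hits = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW" and r["dir"] == "out" and r["dpt"] not in EXPECTED_OUTBOUND_PORTS:
            hits[(r["src"], r["dst"], r["dpt"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


def review(text):
    """Run both checks over a log and return a summary suitable for a daily report."""
    records = parse_log(text)
    return {
        "records": len(records),
        "port_scans": find_port_scans(records),
        "suspicious_outbound": find_suspicious_outbound(records),
    }


if __name__ == "__main__":
    for name, value in review(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Denied inbound scans are background noise on any Internet-facing address and mostly confirm the firewall is doing its job; the repeated allowed outbound connection to an unusual port is the finding that warrants pulling the internal host off the network and checking it for malware.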

Technically a firewall can be either a hardware appliance or software that resides on a machine, but for our purposes I will assume you plan to utilize a hardware appliance type firewall. The type of firewall you should choose depends on the size of your organization and your protection requirements. That being said, the general principle is that any firewall that is properly configured is better than none.

Some of the leading providers of appliance based firewalls include Cisco, Juniper, Check Point, and SonicWall. All of these companies offer models that can meet the needs of smaller operations all the way to large enterprises. A smaller company (without a present firewall) that gets Internet from a cable or DSL connection should consider an integrated wireless router/firewall model. These are often the same models utilized by home users and serve the purpose of separating the network from the Internet at an affordable price. Some of the vendors that specialize in this market include Linksys, Dlink, Netgear, and 3Com.

In the future, I will provide a more detailed review of firewalls and features but for now if you don’t have a firewall you don’t have time to wait. Get a firewall and get a little more secure.

Information Security and Physical Security

Photo Courtesy of http://www.flickr.com/photos/eprater/

Information security is often thought to be very technical in nature, and a lot of the time it is. After all, technology is exciting and many people prefer to focus on firewalls, intrusion prevention systems and other state of the art technologies. Physical security is an essential, often neglected aspect of information security, and it is every bit as important as the more technical aspects. If you neglect implementing adequate physical security measures, all of your other efforts can be in vain.

The following are the primary business risks if you fail to implement adequate physical security measures:

  • Disclosure of sensitive business information
  • Theft of your business assets
  • Financial loss for replacing assets
  • Loss of ability to use data that may be critical for sustaining ongoing operations (if no backups are available)
  • Negative publicity if the event is disclosed

So now that you agree it is important, what do you need to do? One of the first steps should be to perform a risk assessment so you can document and prioritize based on business risk. This helps you focus your efforts and decide how much you are willing to spend to mitigate certain risks. I will provide a sample risk assessment at a later date to serve as a template, but for now here are items to consider when implementing physical security.

Physical Security Things to Do At Your Business

  1. Control access to your business facility to only allow authorized personnel inside. At the minimum this should mean securing your business at least as much as you do your home: locked doors, security systems, and/or more advanced control mechanisms like building control devices.
  2. Secure rooms with computer servers and networking equipment in it with an additional level of security. Ideally physical access to these systems should be restricted to individuals that need to access them. In addition, a simple guest log in book is a good way to document who is accessing a security controlled room (of course badge access control is even better but it is all based on your cost/risk tolerance).
  3. Consider using a camera/DVR based security system. I have not yet purchased one, but for under $400 I am looking to get one very soon, likely the Defender SN500. This set looks quite nice and is very cost effective for the additional protection it provides.
  4. Utilize cable locks for your desktops, laptops, projectors and network equipment. Physical theft is the greatest threat to these assets so lock it down to get a little more secure.
  5. Lock up sensitive physical files in drawers or cabinets and do the same with portable electronic media such as USB devices or CDs/DVDs.
  6. Make sure you follow our backup tips to ensure you do not lose critical data in the event of an environmental disaster such as a fire or flood.

Physical Security Things to Do on the Go

Laptop thefts are the biggest risk to your business assets while in transit. Follow these tips to make sure you minimize your likelihood of becoming a victim of laptop theft.

  • Place your laptop in your trunk immediately when leaving work for the day. A majority of laptops stolen from vehicles are stolen because they are visible tempting targets to thieves.
  • Never leave your laptop unattended when it is not locked up. Keep an eye on it at all times much like you would a small child playing in the yard.
  • Consider utilizing a laptop recovery service if you will be storing sensitive information on your machine.
  • When traveling on a plane never check a laptop always carry it on yourself.
  • If you are in a hotel room the best option is to lock your laptop in the in-room safe. The next best options include using a cable lock to secure it to some furniture or shelving in the room. A last resort is to use the do not disturb sign and hide it as best you can, as recommended in these tips from Microsoft.
  • If you have to step away for even just a moment ask a trusted person to keep an eye on it for you. If there is no one available take it with you.

In summary, do not neglect physical security as part of your information security program. Doing so will leave you with a false sense of security and an incomplete protection program.